HIPAA Compliant Email Explained

HIPAA Email Explained by Using Services like Google WorkspaceIntroduction to HIPAA Compliant Email

The standards established for HIPAA compliant email require safe and secure methods of transmitting healthcare data and information by healthcare providers and their business associates. Like with most business entities, healthcare providers need to communicate using email as well as other types of electronic communication mediums. The HIPAA requires that all communication mediums used in the transfer of health data provide safe and secure methods of transmission.

The tradition of email communication is as provided over the Internet with no methods of securing the content from interception. Other information, such as usernames, passwords and attachments that are associated with email messages, is as vulnerable to interception as the content of email messages. As such, traditional email messages and associated information are vulnerable to compromise by third parties. In order for healthcare providers and their business associates to safely transmit healthcare data and information via email, they must incorporate a HIPAA compliant email service in their IT infrastructure. This type of service requires data encryption using secure servers in order to protect transmitted information.

Healthcare providers have the option of developing their own secure, encrypted HIPAA email service or they may choose among the many HIPAA compliant email providers. Healthcare providers who develop their own systems have the responsibility of encrypting and decrypting health data to keep it secure. The requirements for secure HIPAA email transmissions only apply to healthcare providers and their business associates who are defined as HIPAA covered entities. Patients who make use of the services offered by healthcare providers are not required to communicate using secure email. A viable email service provider will have the ability to encrypt information and data sent by patients and other approved sources of insecure email as soon as the information reaches their servers and then have the capability to secure all further communications using their servers.

HIPAA Compliant Email Explained

The tradition of email use has proved to be great for communication, but because more often than not, traditional email is transmitted over the internet with no methods in place to prevent the interception of content, email can be vulnerable to hacking and the disclosure of information that users may want to keep private. The ability of healthcare providers to use HIPAA and email and also meet the requirements of the HIPAA privacy and security rules is an issue that needs to be resolved, particularly as it applies to communicating with patients and other entities who are not considered covered entities (CEs) under the HIPAA.

How CEs Communicate PHI With Patients
The HIPAA Privacy Rule allows for CEs to use email to communicate with patients so long as certain precautions are put in place to prevent a breach of data when combining HIPAA and email. However, the rule does not specify precautions for patients who choose to communicate with their healthcare providers via email. Instead, the Privacy Rule specifies that healthcare providers may presume such communication is acceptable to the patient unless the patient indicates otherwise. However, there will be instances where a patient will request or send Protected Health Information (PHI) without regard to the need to secure it for transmission. The HIPAA Privacy Rule further specifies that a healthcare provider may disclose the risks and liabilities of such actions if the healthcare provider believes the patient may not be aware of the risks and liability associated with unprotected email and then let the patient determine whether to continue such communications.

Healthcare providers have a responsibility to educate patients about the security risks associated with transmitting Protected Health Information (PHI) through email using insecure Internet connections. To reduce their liability for such actions, healthcare providers may choose to issue warnings and reminders when communicating with patients, such as when requesting information or responses. If after being informed of the potential to breach private data, a patient insists upon insecure communication methods, healthcare providers should document any consent to transmit such communication as it applies to the particular patient.

The Privacy Rule provides patients with the right to request communication via alternative methods or at alternative locations if the alternatives are considered to be reasonable by the healthcare provider. The HIPAA Security Rule then demands that covered entities implement safeguards to protect the integrity of, restrict access to and guard against unauthorized access to Electronic Protected Health Information (ePHI). Standards for the transmission of ePHI require using HIPAA and email with adequate protections and data encryption over open networks.

HIPAA Compliant Email Hosting

As an alternative to traditional email communications, a healthcare provider may implement or outsource the development of a health record system that offers a portal for patient use with secure channels. The objective would then be to ensure that patients make use of the secure channels of communications rather than send PHI though insecure email. Another alternative is to implement or outsource the development of a secure HIPAA Compliant Email application. Building a HIPAA Compliant Email Hosting solution may be too complicated for some healthcare providers, so they will need to seek the services HIPAA compliant email Hosting providers. If a healthcare provider chooses to make use of a HIPAA Compliant Email Hosting provider, methods of risk assessment and testing will need to be implemented to ensure that healthcare providers are able to document and attest to the security of the outsourced application. Even large providers like Microsoft (Office 365 HIPAA) and Google Apps (Gmail HIPAA) are offering HIPAA compliant email services, and so does many smaller providers. Short of these alternatives, healthcare providers will need to manually encrypt email communications that contain PHI or avoid the inclusion of PHI in email transmissions. There’s also the ability to use HIPAA compliant cloud storage or HIPAA compliant hosting.

Further reading

We are constantly adding new articles on HIPAA compliant email and related services on our blog. Our current posts on HIPAA email are:

Is Gmail HIPAA Compliant – The Definitive Answer
Why your email should be HIPAA compliant
by Hoala Greevy, founder and CEO of Paubox
HIPAA Security Rule Compliance Checklist